Feature Announcement: Content Security Policy (CSP)

    PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data. The current update to the standard is PCI DSS v4.0.

    To comply with this standard, specifically the requirement on page 141, we are implementing a tool to manage and control which scripts run on, or have access to, our platform.


    Level Of Impact: N/A
    Affected Interfaces: Admin
    Affected Users: Administrators


    Solution

    We built an admin interface under Operations -> Platform Config -> Site -> Content Security Policy (CSP) settings.

    This interface allows you to configure and manage each script running on your platform:

    • Report blocked scripts in bugsnag – Controls whether CSP violations are sent to WebUI Bugsnag at Jumbo.
    • Set policy to ‘report-only’ – Controls whether CSP violations are blocked or only reported.
    • Sources for whitelisted scripts (‘script-src’) – List of user-defined sources that are concatenated together to make up the script-src directive of the Content-Security-Policy header.
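    The following is an added example, not the platform's own code: it models the three settings above, shows the header each combination produces (report-only switches the header name, the whitelisted sources are joined into one script-src directive), and summarises a browser's violation report of the kind that would be forwarded to Bugsnag. The report endpoint path and the sample report are assumptions.

```python
import json
from dataclasses import dataclass, field

# Constructed example, not the platform's own code. It models the three
# CSP settings from the admin page, builds the header they produce, and
# summarises a browser violation report before it is forwarded to
# Bugsnag. The report endpoint path is an assumption.
REPORT_ENDPOINT = "/csp-report"


@dataclass
class CspSettings:
    report_to_bugsnag: bool  # "Report blocked scripts in bugsnag"
    report_only: bool  # "Set policy to 'report-only'"
    script_sources: list[str] = field(default_factory=list)  # whitelisted sources


def build_csp_header(s: CspSettings) -> tuple[str, str]:
    """Return (header name, header value) for these settings."""
    # Report-only is a separate header: the browser reports violations
    # but never blocks, which is how a new policy is trialled safely.
    name = ("Content-Security-Policy-Report-Only" if s.report_only
            else "Content-Security-Policy")
    # Concatenate the user-defined sources into one script-src directive,
    # dropping blanks and duplicates; an empty list becomes 'none'.
    seen: list[str] = []
    for src in s.script_sources:
        src = src.strip()
        if src and src not in seen:
            seen.append(src)
    directives = ["script-src " + (" ".join(seen) if seen else "'none'")]
    if s.report_to_bugsnag:
        directives.append("report-uri " + REPORT_ENDPOINT)
    return name, "; ".join(directives)


def summarise_violation(report_body: str) -> dict:
    """Pick the fields worth sending to Bugsnag out of the JSON a
    browser POSTs to report-uri when a script is blocked or reported."""
    r = json.loads(report_body)["csp-report"]
    return {
        "page": r.get("document-uri"),
        "blocked": r.get("blocked-uri"),
        "directive": r.get("effective-directive") or r.get("violated-directive"),
        "enforced": r.get("disposition") == "enforce",  # False in report-only mode
    }

# Constructed sample report in the shape browsers POST to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "blocked-uri": "https://cdn.example.net/tag.js",
    "effective-directive": "script-src",
    "disposition": "report"}})
```

    Trial a new source list with report-only enabled first; the "enforced" flag in each summarised report tells you whether the policy actually blocked the script or merely reported it.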


    Further documentation on how to use CSP features and implement them can be found here.


    Benefits

    Provides the capability to meet PCI DSS v4 requirements for self-certification.

    Helps meet compliance requirements that payment gateways or payment card authorities may impose.

    Ensures the protection of all customer data through additional security feature implementations.

    Need To Know
